Hi,

One of our clients currently has the topology below to connect all remote sites to the main office.

Remote Site-1(SRX240) ------E1------ Router ------GE------ Main Office (SRX 650)
                                       |
                                       |
                                       |
Remote Site-x(SRX240) ------E1----------

The following are other parts of the configuration:

1. All devices are running RIP because the router is very old and needs an extra support license for OSPF.
2. A route-based IPSec tunnel is configured between both remote site SRX240 and SRX650.
3. All E1 links on the remote side and the Ge link between SRX650 are in the Untrust zone.
4. All st interfaces are in the VPN zone; LAN interfaces are in the Trust zone.
5. Policies are allowed between different sources and destinations between the VPN and Trust zones.
6. Traffic is denied between the Untrust and VPN/Trust zones.

The client wants to remove the router from the topology and connect the E1 links on the SRX650.

We have performed the following steps to migrate one link for testing:

1. Removed the E1 link from the router and connected it to the SRX650.
2. Put the above E1 link in RIP and the Untrust zone.
3. Put routing policies on the SRX650 E1 link in RIP to stop learning the Trust subnets of the remote office from the E1 link, so that routes will only be learned from the st link.
4. We didn't change any VPN configuration on both sides, and the IPSec tunnel comes up and traffic is also passing. The external interface in the VPN configuration on the SRX650 is still the Ge interface. The VPN IKE gateway on the remote site is the same Ge interface IP on the SRX650.

We observe the following thing:

--
Regards,
Muhammad Atif Jauhar
(+966-56-00-04-985)